Your hard drive will self-destruct at 2pm: Inside the South Korean cyberattack

But the defacement of a website during the attack may be a separate problem.

A cyberattack in South Korea on Wednesday took the networks of several companies offline. While some recovered in a matter of hours, South Korea's public broadcasting organization, KBS, is still offline. But the identity of the person or group behind the attacks is still an open question—one muddied by the hackers who are taking credit for at least part of it. It's not clear at this point if the attack was state-sponsored, cyberwarfare by North Korea, or simply an act of cyberterrorism by hackers looking to make a virtual name for themselves.

As we reported earlier, at about 2pm Seoul time, the networks of three broadcasters and three banks were affected by an attack that disrupted their networks, possibly caused by malware. But while malware was initially blamed for the outage, the malware that's been discovered thus far could not have taken networks down by itself. There was a lot more going on than just a malware attack; the convergence of multiple types of attacks suggests a coordinated effort by an organized attacker.

The latest update from South Korean officials is that the attack emanated from a Chinese IP address. But the identity of the attackers is still unclear.

The “wiper”

The malware portion of the cyberattack that has been uncovered thus far by investigators was a "wiper"—a strain of a Windows trojan that was identified by Sophos as malware it had discovered over a year ago—similar in behavior to part of the Shamoon virus that attacked energy companies in the Middle East last summer. But other than its function, the malware used in the South Korea attacks bears no resemblance to Shamoon or other viruses that have been used in "cyberwar" attacks.

In an interview with Ars Technica, Director of Operations for Symantec Security Response Liam O'Murchu said that the malware, which his company identifies as Trojan.Jokra, showed no signs of being anything remarkable. "Nothing stands out about it," he said. The "dropper" portion of the attack—the malware that installed the "wiper" component—is still being analyzed; security firms haven't yet determined how it was distributed.

When activated, the malware first kills processes associated with antivirus and security software. Then it inventories all the drives connected to the system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR), the first sector of the disk, which holds both the boot code and the partition table. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said. It "also looks to see if you have any drives connected that aren't mapped to a drive letter." The malware then attempts to do the same to the unmapped drives and forces the computer to reboot by executing a command-line shutdown. Once the computer reboots, it's unusable until the partition table is rebuilt or the disk is reformatted and restored from backup.

But not all of the variants of the malware found by researchers act the same. FireEye Senior Researcher Zheng Bu said that in his observations and in those of his colleague, researcher Vinay Pidathala, the malware did not seem to exhibit any network drive attack behavior. "We can confirm only the MBR part," he said. Additionally, Zheng said that they had one variant that used a clock API call to check the time, waiting for 2pm on March 20 to trigger, while other samples collected lacked that code.

One thing all of the variants had in common was what they used to overwrite the data in the MBR: the words "PRINCIPES" (which Pidathala pointed out is a Latin word for Roman heavy infantry) and "HASTATI" (a word for Roman light infantry). And the code of the malware, Zheng said, was rather simple. "Malware is usually modularized," he said. "This one is rather simple. It does what it does."
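To make the MBR damage concrete, here is an added example in Python (not code from the article or from any of the researchers quoted): it parses a 512-byte first sector, checks the 0x55AA boot signature and the four primary partition entries, and flags a sector that has been filled with the "PRINCIPES"/"HASTATI" strings. Both sample sectors are constructed for the example; the 50% fill threshold and the triage labels are assumptions chosen here, not anything the vendors published.

```python
import struct

# Sector size and the two fill strings researchers reported in the overwritten MBRs.
SECTOR = 512
WIPE_MARKERS = (b"PRINCIPES", b"HASTATI")


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte sector as a classic MBR: boot signature plus the four primary entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, LBA count
        boot, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": boot == 0x80, "type": ptype,
                            "lba_start": lba_start, "lba_count": lba_count})
    return {"valid_signature": sector[510:512] == b"\x55\xaa", "partitions": entries}


def wipe_fill_ratio(sector: bytes) -> float:
    """Fraction of the sector covered by repeated wipe marker strings."""
    covered = sum(sector.count(m) * len(m) for m in WIPE_MARKERS)
    return covered / len(sector)


def triage_sector(sector: bytes) -> str:
    """Classify a first sector as 'intact', 'wiped_jokra_pattern', or 'damaged'.

    The 0.5 threshold is an assumption: a legitimate MBR never contains these strings,
    so even a much lower ratio would be suspicious, but 0.5 avoids flagging stray text.
    """
    info = parse_mbr(sector)
    if wipe_fill_ratio(sector) > 0.5:
        return "wiped_jokra_pattern"
    if info["valid_signature"] and info["partitions"]:
        return "intact"
    return "damaged"


def build_sample_mbr() -> bytes:
    """Constructed MBR: one bootable NTFS-type (0x07) partition at LBA 2048, 200 MiB long."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x58\x90"  # a jump stub where boot code would normally live
    struct.pack_into("<B3xB3xII", mbr, 446, 0x80, 0x07, 2048, 409600)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def build_wiped_mbr() -> bytes:
    """Constructed sector overwritten end to end with the repeated PRINCIPES marker."""
    fill = b"PRINCIPES" * (SECTOR // len(b"PRINCIPES") + 1)
    return fill[:SECTOR]


if __name__ == "__main__":
    for name, sec in (("sample", build_sample_mbr()), ("wiped", build_wiped_mbr())):
        print(name, triage_sector(sec), parse_mbr(sec))
```

Run against the first 512 bytes of a disk image (for example `open(path, "rb").read(512)`) on a machine that rebooted into an unbootable state, this separates a Jokra-style overwrite from ordinary boot-sector corruption before any recovery is attempted.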

Zheng added that this attack is a "deviation from the current trend" in advanced persistent threat (APT) attacks, which tend to be focused on information stealing rather than destruction. "To be honest, it's been quite a while since we've observed a disruptive malware like this," he said.

But for all its disruption, the "wiper" malware has little if anything to do with the network disruptions that were experienced at about the same time as the virus triggered.

The dropper

The script in the dropper looks specifically for mRemote, an open-source remote connection manager for Windows that keeps profiles for saved connections in an XML file, and then searches those profiles for SSH connections to Linux machines with root privileges. If it finds one, it opens the connection with the stored credentials and executes a script that uploads and runs drive-wiping shell commands for Linux, Solaris, AIX, or HP-UX. On Linux, the commands delete the /kernel, /usr, /etc, and /home directories.
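The profile search the dropper performs is also something defenders can run against their own workstations. The following is an added example in Python, not the dropper's code or mRemote's: it parses a confCons.xml-style file and lists every saved SSH profile whose username is root, reporting whether a password is stored with it. The XML sample is constructed, and the element and attribute names used (Node, Type, Hostname, Username, Password, Protocol, Port) are an assumption about the file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of mRemote's confCons.xml. The attribute names are an
# assumption about the format; real files carry many more attributes and an obfuscated
# password field, which is why the value is never echoed back below.
SAMPLE_CONFCONS = """\
<Connections Name="Connections" Export="false" Protected="" ConfVersion="2.2">
  <Node Name="web01" Type="Connection" Hostname="10.0.5.11" Username="root"
        Password="c2VjcmV0" Protocol="SSH2" Port="22" />
  <Node Name="Prod" Type="Container">
    <Node Name="db01" Type="Connection" Hostname="10.0.5.20" Username="dba"
          Password="" Protocol="SSH2" Port="22" />
    <Node Name="hpux-batch" Type="Connection" Hostname="10.0.9.4" Username="root"
          Password="" Protocol="SSH2" Port="2222" />
  </Node>
  <Node Name="fileserver" Type="Connection" Hostname="10.0.5.30" Username="root"
        Password="c2VjcmV0" Protocol="RDP" Port="3389" />
</Connections>
"""


def find_stored_root_ssh(xml_text):
    """Every SSH profile whose saved username is root, in document order.

    Only whether a password is stored is reported; the value itself is never returned,
    so the output is safe to paste into a ticket.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iter("Node"):            # iter() descends into container nodes
        if node.get("Type") != "Connection":
            continue
        if not (node.get("Protocol") or "").upper().startswith("SSH"):
            continue
        if (node.get("Username") or "").lower() != "root":
            continue
        hits.append({
            "name": node.get("Name"),
            "host": node.get("Hostname"),
            "port": int(node.get("Port") or 22),
            "has_stored_password": bool(node.get("Password")),
        })
    return hits


def risk_summary(hits):
    """The counts a responder wants first: how many root targets a dropper could reach
    with the saved password alone versus those that still need a key or a typed password."""
    with_pw = sum(1 for h in hits if h["has_stored_password"])
    return {"root_ssh_profiles": len(hits), "with_saved_password": with_pw,
            "hosts": sorted({h["host"] for h in hits})}


if __name__ == "__main__":
    found = find_stored_root_ssh(SAMPLE_CONFCONS)
    for h in found:
        print(h)
    print(risk_summary(found))
```

The RDP entry with a root username is deliberately ignored: the point is not "root" as a string but a stored, non-interactive path to a root shell on a Unix host, which is exactly what the dropper was looking for.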

The defacement

At about the same time as the "wiper" malware was triggered, at least one website of Korean network provider LG U+ was defaced. According to a Reuters report, an LG U+ spokesperson said that the company believed its network had been hacked.

The defacement, an animated webpage complete with audio of maniacal laughter, included "leet-speak" signatures for the hackers in the code. Identifying themselves as "Whois Team," the hackers made no reference to political goals but posted a typical defacement hack manifesto. "We have an Interest in Hacking," the page declared. "This is the Beginning of Our Movement. User Accounts and All Data are in Our Hands. Unfortunately, We have deleted Your Data. We'll be back Soon."

A video capture of the LG site defacement.

Some reported that when the "wiper" malware struck workstations, it showed the same message. But none of the security researchers who spoke with Ars were able to reproduce that in their tests. The defacement, then, appears to have been a separate act—it's impossible to say whether those hacking the site just happened to have incredibly bad timing or if they were involved in the larger cyberattack.

The network outages

Just as the clock struck 2pm Seoul time and triggered the "wiper" malware, the networks of the targeted organizations started going down. Nearly all of the targeted companies used LG U+ as a network provider, so it's possible that the attackers tampered with Border Gateway Protocol route announcements or other network configuration at the provider and disrupted the targeted companies' networks that way. But it's unlikely that that alone would have taken out the networks of the four companies that were reported "offline" by Internet monitoring company Renesys.

Renesys Senior Analyst Doug Madory posted an analysis that showed that about thirty minutes after the broadcasters' networks went down, the network of Korea Gas Corporation also suffered a roughly two-hour outage, as all 10 of its routed networks apparently went offline. Three of Shinhan Bank's networks dropped offline as well. In a phone conversation with Ars, Madory said, "Korea Gas had two paths out, so it should have been able to fail over. It leads you to believe there was something wrong at their data center."

Still, LG U+'s routing data shows the impact of something. The company, which was previously known as LG Dacom, had what Madory called "a small drop in routes. They have 136 network prefixes, and went down [during the attack] to 116, so about 20 networks were dropped."
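Madory's reasoning about Korea Gas (two paths out, yet all of its prefixes vanished, so the fault was probably at the origin rather than at a carrier) can be applied mechanically to route-collector data. The following is an added example in Python, not Renesys's own analysis code: given, for each prefix, the set of upstream ASNs through which it was seen before and during the event, it classifies each prefix as fully withdrawn, partially lost or stable and says which side of the fault the pattern points at. The snapshots are constructed from documentation prefixes and private ASNs, not the real LG U+ or Korea Gas routing tables.

```python
# Constructed routing snapshots, keyed by prefix: the set of upstream ASNs through which
# a route collector saw each prefix announced before and during the event. Prefixes are
# documentation ranges and ASNs are from the private range; none are the real networks.
BEFORE = {
    "203.0.113.0/24":   {"AS64501", "AS64502"},   # multi-homed, like the "two paths out" case
    "203.0.113.128/25": {"AS64501", "AS64502"},
    "198.51.100.0/24":  {"AS64501"},              # single upstream
    "192.0.2.0/24":     {"AS64502"},
}
DURING = {
    "203.0.113.0/24":   set(),                    # withdrawn via both upstreams
    "203.0.113.128/25": {"AS64502"},              # lost one upstream, still reachable
    "198.51.100.0/24":  set(),                    # its only upstream stopped announcing it
    "192.0.2.0/24":     {"AS64502"},              # unaffected
}


def classify_outage(before, during):
    """For each prefix, say whether it was fully withdrawn, partially lost or stable,
    and which side of the fault the pattern points at."""
    report = {}
    for prefix, upstreams_before in before.items():
        if not upstreams_before:
            continue
        upstreams_now = during.get(prefix, set())
        lost = sorted(upstreams_before - upstreams_now)
        if not upstreams_now:
            kind = "full_withdrawal"
            # A multi-homed prefix vanishing from every upstream at once is not explained
            # by one carrier failing; the origin (e.g. its data center) is the likelier culprit.
            hint = "origin_side" if len(upstreams_before) > 1 else "single_upstream_or_origin"
        elif lost:
            kind, hint = "partial_loss", "upstream_side:" + ",".join(lost)
        else:
            kind, hint = "stable", ""
        report[prefix] = {"kind": kind, "lost_upstreams": lost, "hint": hint}
    return report


def visible_prefix_counts(before, during):
    """(visible before, visible during): the kind of figure quoted above (136 down to 116)."""
    return (sum(1 for u in before.values() if u), sum(1 for u in during.values() if u))


if __name__ == "__main__":
    for prefix, row in classify_outage(BEFORE, DURING).items():
        print(prefix, row)
    print(visible_prefix_counts(BEFORE, DURING))
```

The single-homed case is deliberately left ambiguous: when a prefix has only one path out, a route collector cannot tell a dead data center from a dead upstream port, which is why the multi-homed Korea Gas networks were the informative ones.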

The Unix attacks in the dropper malware are novel for Windows security threats, but they were dependent on a specific piece of no-longer-supported connection software—so unless it was known that the target companies ran that software on desktops connected to fairly vanilla-configured Unix systems, it's unlikely the attack did much damage.

It's possible that the network outages were caused by the companies themselves as a reaction to the malware, in an effort to stop what may have looked like an active attack. But the "wiper" malware and its installer could have been sitting on desktops for months before they were triggered. Until there's more evidence of how they were introduced onto targeted PCs, there's not much to go on to attribute the attack.

As for the Whois Team, it's not clear they're involved in the larger attack. They could have simply found one vulnerable Web application and left their mark, either out of circumstance or as a move to take credit for an even bigger coup.

40 Reader Comments

If this was NK state sponsored the KCNA would be blaring praises to Kim Jong Un, the announcement would've been more political and it probably would've been written in Korean.... Methinks this blares script kiddie.

This attack comes at a curious time, while a joint Korea-US military exercise dubbed Key Resolve was under way. The exercise ends today (March 21). Also of note is that the three major broadcasting companies (KBS, MBC, YTN) were specifically called out as targets by a North Korean military statement in April 2012. Plus, there are works underway for reorganizing the South Korean government branches for the new administration that just came to power less than a month ago.

Due to these circumstances, there are tons of conspiracy theories blaming North Korea being floated around about this, especially among local conservative media, despite the lack of hard evidence at the moment. And then North Korea just now decided to add more fuel to the fire by doing what appears to be the start of a major military exercise of its own (air raid warnings, etc.)...

And then North Korea just now decided to add more fuel to the fire by doing what appears to be the start of a major military exercise of its own (air raid warnings, etc.)...

I recall hearing about these exercises being planned by both sides long before the recent escalations. Ratcheting up the rhetoric leading up to this is in tune with the north's typical style when they want to initiate talks, still a scary time to be in Seoul.

If this was NK state sponsored the KCNA would be blaring praises to Kim Jong Un, the announcement would've been more political and it probably would've been written in Korean.... Methinks this blares script kiddie.

Although there is sense in what you say, there isn't any corresponding weight to it, unless you have specific examples from past attacks in which precisely that is what happened.

If this was NK state sponsored the KCNA would be blaring praises to Kim Jong Un, the announcement would've been more political and it probably would've been written in Korean.... Methinks this blares script kiddie.

Although there is sense in what you say, there isn't any corresponding weight to it, unless you have specific examples from past attacks in which precisely that is what happened.

True, but it doesn't seem like NK's way of doing things. You do have a good point and while we know NK has some sort of state sponsored hacking group, we've been unable to pin anything on them yet. So we can only guess... hacking a juicy target like KBS and not bragging about it and not making any snipes at the west or the "puppet government of South Korea" is definitely not NK's MO. So while I believe this whois group is definitely not NK, I won't discount NK from the rest of the attack, as the article stated.

And at the end of the day it won't change anything even if we can pin this on NK. If the sinking of a ship and the shelling of sovereign SK land doesn't provoke any military response, this won't. Kim Jong Un knows this and he's milking the West for all it's worth while his people suffer.

If this was NK state sponsored the KCNA would be blaring praises to Kim Jong Un, the announcement would've been more political and it probably would've been written in Korean.... Methinks this blares script kiddie.

Although there is sense in what you say, there isn't any corresponding weight to it, unless you have specific examples from past attacks in which precisely that is what happened.

True, but it doesn't seem like NK's way of doing things. You do have a good point and while we know NK has some sort of state sponsored hacking group, we've been unable to pin anything on them yet. So we can only guess... hacking a juicy target like KBS and not bragging about it and not making any snipes at the west or the "puppet government of South Korea" is definitely not NK's MO. So while I believe this whois group is definitely not NK, I won't discount NK from the rest of the attack, as the article stated.

And at the end of the day it won't change anything even if we can pin this on NK. If the sinking of a ship and the shelling of sovereign SK land doesn't provoke any military response, this won't. Kim Jong Un knows this and he's milking the West for all it's worth while his people suffer.

I also concur that it reeks of script kiddie. Some reasons I give for this:

1) It looks for the ability to SSH into Linux machines with a root account if found.

This reason tells us that they don't really know Unix or Unix-like systems very well, for most modern Unix and Unix-like systems don't allow root logins (even over SSH).

2) It overwrites just the MBR.

The MBR can be restored. It's not something Jeff K. could do, but most Ars readers could do with a Windows install DVD or a Linux LiveCD.

3) It looks for mRemote.

mRemote isn't supported anymore, according to their website. Also, the SSH protocol has likely had some changes since then, and more likely is the saved connection info is obsolete, and therefore cannot be relied upon to allow a connection (password change, encryption cipher change, etc.).

This malware doesn't have the sophistication that a state-sponsored version would have because the state-sponsored version wouldn't want to prevent data from being accessed. In fact, it wouldn't want anyone to know it was there in the first place.

I'm wondering why there isn't more alarm that three banks were infested. Unless SK is known for shoddy security in general, it seems a bit frightening that what we think of as the best-protected desktops were hit by this attack.

I'm wondering why there isn't more alarm that three banks were infested. Unless SK is known for shoddy security in general, it seems a bit frightening that what we think of as the best-protected desktops were hit by this attack.

Then again... Oracle, Java.

1) There are more attack vectors than just Java.

Also, security is like a chain: it's only as strong as its weakest link. In security, though, your weakest link is usually someone who'll download free screensavers and Zwinkys, not thinking about the possible crapware and malware that comes along with it that penetrates your security defenses.

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This sounds like it would overwrite the MBR of a network-mapped drive. If they managed that, I am thoroughly impressed.

1) It looks for the ability to SSH into Linux machines with a root account if found.

This reason tells us that they don't really know Unix or Unix-like systems very well, for most modern Unix and Unix-like systems don't allow root logins (even over SSH).

On Ubuntu it's as easy as "sudo passwd root" to enable root logins (even over SSH).

The only system I had a very hard time logging in as root is Solaris (root is a role, not a user on the latest Solaris versions).

mstark90 wrote:

2) It overwrites just the MBR.

The MBR can be restored. It's not something Jeff K. could do, but most Ars readers could do with a Windows install DVD or a Linux LiveCD.

You may be thinking about the MBR code. However, the MBR also contains the main partition table. Reconstructing that requires forensic level expertise, unless the partition layout is very simple (one huge partition), and even then it's not that easy.

mstark90 wrote:

3) It looks for mRemote.

mRemote isn't supported anymore, according to their website. Also, the SSH protocol has likely had some changes since then, and more likely is the saved connection info is obsolete, and therefore cannot be relied upon to allow a connection (password change, encryption cipher change, etc.).

If the attacker was aware that mRemote was very popular for his targets, I don't see why this would be the case. Support for mRemote stopped in 2012, and I doubt many admins will uninstall their favorite tool immediately when it became unsupported.

And the SSH protocol doesn't change as much as you think; the last major change was in 2006 (SSH-2). Furthermore, most client and server software supports backward compatibility, with a few exceptions.

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This is very strange. A networked-mapped drive is a logical drive. Logical drives do not have MBRs, and usually you can't even perform low level operations on that drive, so I don't see how you could overwrite anything other than files over the network.

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This is very strange. A networked-mapped drive is a logical drive. Logical drives do not have MBRs, and usually you can't even perform low level operations on that drive, so I don't see how you could overwrite anything other than files over the network.

That's not to say it succeeds. It goes after whatever drives are mapped to Windows. There's some disagreement over whether the malware attacked network drives; one researcher, as I said in the story, saw no such behavior.

1) It looks for the ability to SSH into Linux machines with a root account if found.

This reason tells us that they don't really know Unix or Unix-like systems very well, for most modern Unix and Unix-like systems don't allow root logins (even over SSH).

I think we can assume with near certainty that if the victim had his Windows machine setup to login to a UNIX box as root, then the UNIX box was setup to allow root logins from the Windows machine.

Quote:

This malware doesn't have the sophistication that a state-sponsored version would have because the state-sponsored version wouldn't want to prevent data from being accessed. In fact, it wouldn't want anyone to know it was there in the first place.

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This sounds like it would overwrite the MBR of a network-mapped drive. If they managed that, I am thoroughly impressed.

Drives can be also "network mapped" over iSCSI and in that case the machine can have full access to the underlying physical disk(s) on a block level (sectors).

What this looks to me is a warning to those who do not have good security practices:

1. Where is the physical security to prevent unauthorized access to computers (USB attacks, etc)?
2. Where is the firewall and network filter to prevent download of unauthorized applications?
3. Where is the group policy setting which prevents random software installation?
4. Why are local users also local admins?
5. Where is the anti-virus to stop execution of malware?
6. Why are they using mRemote instead of PuTTY with password-protected SSH keys on a smartcard?
7. Why are they allowing root access over SSH on their Linux machines?
8. Why are they using standard SSH port settings?

But "SSH connections to Linux machines with root privileges" should never never never happen, so this wouldn't be a practicable exploit. Right? No one would actually set up a root SSH login? Or even allow root to log in via SSH? If this is the best attack against Linux anyone can come up with, shows how locked down Linux can be.

A lot of popular distributions allow Root SSH by default. You'd be amazed by how many people keep the default settings. Even when disabled, I've seen a lot of admins enable it just to make things easier for them.

A lot of popular distributions allow Root SSH by default. You'd be amazed by how many people keep the default settings. Even when disabled, I've seen a lot of admins enable it just to make things easier for them.

True, but how many corporations allow using the defaults? I want to say none, but I'd be wrong, and I hope those boxes would be extremely difficult to get to due to being hidden behind firewalls, etc.

If this was NK state sponsored the KCNA would be blaring praises to Kim Jong Un, the announcement would've been more political and it probably would've been written in Korean.... Methinks this blares script kiddie.

Although there is sense in what you say, there isn't any corresponding weight to it, unless you have specific examples from past attacks in which precisely that is what happened.

True, but it doesn't seem like NK's way of doing things. You do have a good point and while we know NK has some sort of state sponsored hacking group, we've been unable to pin anything on them yet. So we can only guess... hacking a juicy target like KBS and not bragging about it and not making any snipes at the west or the "puppet government of South Korea" is definitely not NK's MO. So while I believe this whois group is definitely not NK, I won't discount NK from the rest of the attack, as the article stated.

And at the end of the day it won't change anything even if we can pin this on NK. If the sinking of a ship and the shelling of sovereign SK land doesn't provoke any military response, this won't. Kim Jong Un knows this and he's milking the West for all it's worth while his people suffer.

I also concur that it reeks of script kiddie. Some reasons I give for this:

1) It looks for the ability to SSH into Linux machines with a root account if found.

This reason tells us that they don't really know Unix or Unix-like systems very well, for most modern Unix and Unix-like systems don't allow root logins (even over SSH).

No - that's not true. Almost everyone who actually manages a lot of unix boxes allows remote root logins directly. Perhaps they do not allow password for authentication, or require a second form of authentication beyond password, but remote root login is quite common, and commonly allowed via ssh keys (usually from a single more well-secured host).

Sometimes it is done with certificates, sometimes keys, but you need a way to manage lots of servers remotely and quickly, so there is some mechanism that allows direct root access and it's often over ssh. Although, generally, if end users / power users want root access, it's done via sudo, of course.

No - that's not true. Almost everyone who actually manages a lot of unix boxes allows remote root logins directly. Perhaps they do not allow password for authentication, or require a second form of authentication beyond password, but remote root login is quite common, and commonly allowed via ssh keys (usually from a single more well-secured host).

Sometimes it is done with certificates, sometimes keys, but you need a way to manage lots of servers remotely and quickly, so there is some mechanism that allows direct root access and it's often over ssh. Although, generally, if end users / power users want root access, it's done via sudo, of course.

Not where I used to work. We had multiple instances of RHEL and every time I saw our Unix admins log into them via SSH they never used a root login. They always used their own logins and then used sudo or su to get into root mode (depending whether they had one command to execute or many).

1) It looks for the ability to SSH into Linux machines with a root account if found.

This reason tells us that they don't really know Unix or Unix-like systems very well, for most modern Unix and Unix-like systems don't allow root logins (even over SSH).

On Ubuntu it's as easy as "sudo passwd root" to enable root logins (even over SSH).

The only system I had a very hard time logging in as root is Solaris (root is a role, not a user on the latest Solaris versions).

This shouldn't be the case without explicit stupidity. OpenSSH's default sshd_config disables root login even if it is enabled at the console. This is preserved on my BSD and Arch boxes. If Debian and its ilk are still making downstream security changes for literally no good reason after their last little fiasco, there's not much to say that isn't a barely-coherent stream of repeated 'fuck you guys'.
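Whether root can actually log in over SSH depends on how sshd resolves PermitRootLogin, and reading the file by eye gets it wrong easily: sshd keeps the first value it obtains for a keyword in the global section, and a Match block that applies to the connection overrides that global value. The following is an added example in Python, not OpenSSH code, and only a model of those two rules (Match criteria other than all, User and Address are treated as not matching). The sshd_config sample is constructed. The compiled-in default for PermitRootLogin was "yes" in OpenSSH releases of the period and became "prohibit-password" in OpenSSH 7.0, so the default is passed in explicitly rather than guessed.

```python
import fnmatch
import ipaddress

# Constructed sshd_config of the kind the thread argues about: root is refused globally,
# but a later Match block allows key-based root logins from a management subnet.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication yes
# A second global occurrence is ignored: sshd keeps the first value it obtained.
PermitRootLogin yes

Match Address 10.0.100.0/24
    PermitRootLogin without-password

Match User deploy
    PasswordAuthentication no
"""

# Older spelling that sshd still accepts for prohibit-password.
ALIASES = {"without-password": "prohibit-password"}


def _criteria_match(criteria, user, addr):
    """Evaluate a Match line. Only 'all', User and Address (CIDR) are modelled;
    any other criterion is treated as not matching, the conservative choice."""
    tokens = criteria.split()
    if [t.lower() for t in tokens] == ["all"]:
        return True
    for key, value in zip(tokens[0::2], tokens[1::2]):
        alts = value.split(",")
        if key.lower() == "user":
            if not any(fnmatch.fnmatchcase(user, a) for a in alts):
                return False
        elif key.lower() == "address":
            ip = ipaddress.ip_address(addr)
            if not any(ip in ipaddress.ip_network(a, strict=False) for a in alts):
                return False
        else:
            return False
    return True


def effective_option(config_text, keyword, user, addr, default):
    """Value sshd would apply for `keyword` to a connection by `user` from `addr`.

    First obtained value wins within the global section and within the matching
    Match blocks; a matching Match block overrides the global value.
    """
    keyword = keyword.lower()
    global_value = match_value = None
    in_match, active = False, True
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match, active = True, _criteria_match(rest, user, addr)
            continue
        if key != keyword:
            continue
        value = rest.split()[0].lower()
        if not in_match:
            if global_value is None:
                global_value = value
        elif active and match_value is None:
            match_value = value
    value = match_value if match_value is not None else global_value
    if value is None:
        value = default
    return ALIASES.get(value, value)


def root_login_allowed(config_text, user, addr, default="prohibit-password"):
    """True when PermitRootLogin resolves to anything other than 'no' for this connection."""
    return effective_option(config_text, "PermitRootLogin", user, addr, default) != "no"


if __name__ == "__main__":
    for addr in ("192.0.2.10", "10.0.100.7"):
        print(addr, effective_option(SAMPLE_SSHD_CONFIG, "PermitRootLogin", "root", addr, "prohibit-password"))
```

For a real audit, `sshd -T -C user=root,addr=10.0.100.7,host=mgmt` asks sshd itself for the effective configuration and is the authoritative answer; the model above is for reasoning about files collected from many hosts without running sshd on each.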

vnicolici wrote:

mstark90 wrote:

2) It overwrites just the MBR.

The MBR can be restored. It's not something Jeff K. could do, but most Ars readers could do with a Windows install DVD or a Linux LiveCD.

You may be thinking about the MBR code. However, the MBR also contains the main partition table. Reconstructing that requires forensic level expertise, unless the partition layout is very simple (one huge partition), and even then it's not that easy.

While this was once true, TestDisk has made it a trivial operation, assuming you are using reasonably-common filesystems.
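What the comment describes, scanning the disk for filesystem signatures and rebuilding the partition table from what they imply, is shown here as an added example in Python; it is not TestDisk's code. It builds a small constructed disk image with an NTFS boot sector and an ext superblock, wipes sector 0 with the same fill the article describes, then recovers both extents from the on-disk signatures and writes a fresh MBR. Only NTFS and ext2/3/4 are recognised and only primary partitions are rebuilt; the layout, LBAs and sizes are invented for the example.

```python
import struct

SECTOR = 512


def build_test_image():
    """Constructed 96-sector image: a 32-sector NTFS volume at LBA 8, a 40-sector ext
    volume at LBA 48, and sector 0 (the MBR) filled with the PRINCIPES marker."""
    img = bytearray(96 * SECTOR)
    ntfs = 8 * SECTOR
    img[ntfs + 3:ntfs + 11] = b"NTFS    "            # OEM ID at offset 3 of the boot sector
    struct.pack_into("<H", img, ntfs + 11, SECTOR)   # bytes per sector
    struct.pack_into("<Q", img, ntfs + 40, 31)       # TotalSectors: excludes the backup boot sector
    sb = 48 * SECTOR + 1024                          # ext superblock sits 1024 bytes into the partition
    struct.pack_into("<I", img, sb + 4, 20)          # s_blocks_count_lo
    struct.pack_into("<I", img, sb + 24, 0)          # s_log_block_size -> 1024-byte blocks
    struct.pack_into("<H", img, sb + 56, 0xEF53)     # s_magic
    img[0:SECTOR] = (b"PRINCIPES" * 60)[:SECTOR]     # the wiped MBR
    return bytes(img)


def scan_for_filesystems(img):
    """Walk sector by sector and report filesystem signatures with the extents they imply."""
    found = []
    for s in range(len(img) // SECTOR):
        off = s * SECTOR
        if img[off + 3:off + 11] == b"NTFS    ":
            bps = struct.unpack_from("<H", img, off + 11)[0]
            total = struct.unpack_from("<Q", img, off + 40)[0]
            # NTFS keeps a backup boot sector in the last sector of the partition, beyond TotalSectors.
            found.append({"fs": "ntfs", "lba_start": s,
                          "lba_count": (total + 1) * bps // SECTOR, "type": 0x07})
        elif off + 1082 <= len(img) and img[off + 1080:off + 1082] == b"\x53\xef":
            blocks = struct.unpack_from("<I", img, off + 1024 + 4)[0]
            log_bs = struct.unpack_from("<I", img, off + 1024 + 24)[0]
            bsize = 1024 << log_bs
            found.append({"fs": "ext", "lba_start": s,
                          "lba_count": blocks * bsize // SECTOR, "type": 0x83})
    return found


def verify_no_overlap(found):
    """Sanity check before writing anything back: recovered extents must not overlap."""
    spans = sorted((v["lba_start"], v["lba_start"] + v["lba_count"]) for v in found)
    return all(spans[i][1] <= spans[i + 1][0] for i in range(len(spans) - 1))


def rebuild_mbr(found):
    """A fresh MBR (boot code left zeroed) with up to four primary entries from the scan."""
    if len(found) > 4:
        raise ValueError("more than four volumes needs an extended partition, not modelled here")
    mbr = bytearray(SECTOR)
    for i, vol in enumerate(sorted(found, key=lambda v: v["lba_start"])):
        struct.pack_into("<B3xB3xII", mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0x00, vol["type"], vol["lba_start"], vol["lba_count"])
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    image = build_test_image()
    volumes = scan_for_filesystems(image)
    print(volumes, verify_no_overlap(volumes))
    print(rebuild_mbr(volumes).hex())
```

Before writing a recovered table to a real disk, work on an image, confirm the extents do not overlap, and check that each recovered filesystem mounts read-only from a loop device at the recovered offset; the partition table is the cheap part, as the commenter says, and the expensive mistake is writing a wrong one over a disk you have no copy of.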

Any decent attack would mask its real origin and since China has been portrayed by the media as the origin of all these attacks, it makes little wonder that an attacker would proxy via or spoof an address assigned to a Chinese provider. I've set up US IPs physically inside China in my previous life running on an ASN belonging to a US firm.

If I was a Chinese hacker, I wouldn't be attacking from a China owned IP, I'd just proxy to say Russian or somewhere else and attack from there.

Anyways figuring out who an IP address block belongs to doesn't mean much, much deeper forensics is required to figure out where that IP is actually sitting at and even deeper forensics is required to peel through the layers of proxies. A network expert (telecoms/core network types) would be able to notice this and go hey why does this hop take 200ms consistently and measure it out to where it could possibly be physically located then you'd need a systems expert to go through the logs or processes on that machine assuming you get that far to figure out if this was the originating machine or just another proxy layer of the attack.

North Korea exists as a cat's-paw for China. Every time North Korea rattles sabers, they are doing it at the behest of China, who wishes to instill doubt and fear in their Asian neighbors in the ability and will of the United States to protect them.

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This sounds like it would overwrite the MBR of a network-mapped drive. If they managed that, I am thoroughly impressed.

Yeah. How exactly is it possible to overwrite MBR on a mapped network drive???

Then it inventories all the drives connected to a system and, starting with the primary drive, begins overwriting the Master Boot Record (MBR) on the disk. Then it does the same to any other drives attached or network-mapped to the computer, O'Murchu said.

This is very strange. A networked-mapped drive is a logical drive. Logical drives do not have MBRs, and usually you can't even perform low level operations on that drive, so I don't see how you could overwrite anything other than files over the network.

(Not to be picky, but there is a difference between a volume and a partition, and it's usually volumes that are mapped, for example, DOS and Windows map volumes to drive letters such as C:\>).

They don't have MBRs themselves, but can be used to track back the drive chain to sector 0 to get at the first physical partition entry in the MBR. Partition Magic and other tools can modify this type of thing. It's even feasible to map out the drive geometry given a very few specific details, and that opens entire doors on what someone can do to a physical drive that is mapped out into logical partitions.

I didn't see any mention if the "wiper" tool checked for/reported back Unix/Linux physical drive mapping over the network: such as /dev/hda1, etc and outright overwrote/deleted those entries. If this tool could do this, it's a moot point on how many EBRs were on the physical drive.

Someone with the right knowledge and knowledge of the systems involved could pull this off, especially if standard default toolchains were used to create the logical partitions on the drives. If standard Linux toolchains were used, for example, a good chunk of the info you need to screw up partitions is handed to you on a silver platter, as they use very specific hex addressing when it comes to partitions, and support two addressing chains that use two very specific hex addresses by default. In fact, for ATA disks, CHS addressing to check is rather small, 14 bits for basic ATA drives, up to 24 bits for ATA-5 drives.

Is it impossible? No. Is it something beyond what script kiddies can do without in-depth knowledge? Yes. Could they do it if they had easy access to the right tools with a GUI interface? Yes.

I mean come on, people have formatted, partitioned, and resized partitions on drives remotely for how many years now?

You can even query remote partitions/drives for some of the exact info needed to do this kind of thing using WMI and other tools. I imagine it is not far-fetched that someone used network-capable tools similar to the Acronis Disk Editor tool, which allows you to read/modify the hex found on drives rather easily. It's a tool I've used myself to recover from a bad sector written to an MBR a time or two. Saved a few "dead" drives that way.

TL;DR More than likely what occurred, is that they destroyed the mapped VOLUMES and not the PARTITIONS (which is a much more low-hanging fruit).

One thing all of the variants had in common was what they used to overwrite the data in the MBR record: the words "PRINCIPES" (which Pidathala pointed out is a Latin word for Roman heavy infantry) and "HASTATI" (a word for Roman light infantry).

thejynxed wrote:I didn't see any mention if the "wiper" tool checked for/reported back Unix/Linux physical drive mapping over the network: such as /dev/hda1, etc and outright overwrote/deleted those entries. If this tool could do this, it's a moot point on how many EBRs were on the physical drive.

Right. Most likely South Korean firms are still using HP-UX and Solaris for security reasons and not Linux. Another point is, /dev/hda1 is not necessarily the first primary drive on Solaris servers. It would not be a wise move for the admins to assign hda1 as the primary drive. I see this whole thing as a hoax. Another stunt pulled by the U.S.

It really didn't prove anything by any means when they say the hack was coming from a Chinese IP. The Russians could have someone pull hacks here in the U.S. and blame the hacks on the Americans. Vice-versa. Would it work? I don't see how that would fool anyone?

North Korea exists as a cat's-paw for China. Every time North Korea rattles sabers, they are doing it at the behest of China, who wishes to instill doubt and fear in their Asian neighbors in the ability and will of the United States to protect them.

Oh don't be stupid. What possible value is there to China in destroying bank data and pissing off South Korea?

Spying we understand. Every country spies (no doubt the US has its own malware floating around the Chinese internet trying to get into Chinese military computers). But destroying data is in a completely different league. It's the difference between China flying spy planes along the border with South Korea seeing what they can learn; and China deciding to fire missiles from those spy planes at the three largest skyscrapers in Seoul.

Slight typo that I haven't seen corrected yet: you had a portion on how the dropper did its own damage to UNIX systems such as Linux, Solaris, AIS (sic) and HP-UX and I think you probably meant AIX (the IBM version of UNIX), not AIS. It's easy to see how that happened, the 's' key is very near the 'x' key. Other than that, a very good and very frightening article. Maybe someday hackers can learn to make the pie bigger instead of smaller. (sigh).

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.